A user's tokens can be frozen for extended periods of time, possibly without their knowledge or control.
Proof of Concept
The user calls setLockDuration to lock tokens for 5 days.
The gas price goes up and the tx doesn't execute for 2 days.
It then executes once the gas price has come back down.
Day 5 arrives and the user needs her tokens, but she cannot unlock them for 2 more days.
The user has some loans, and they will get liquidated due to missing collateral.
This is a temporary freezing of funds, which is a high issue. The probability of it happening is medium, because transactions get delayed in the mempool all the time.
This kind of issue has recently been confirmed as medium.
Tools Used
Recommended Mitigation Steps
Add an unlockTimeLatest deadline parameter to the locking function. Fill it with some reasonable deadline, e.g. 1 hour from tx submission time.
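One reading of this mitigation, as an added example that is not code from the Munchables repository: the contract name, the `lock`/`unlock` functions and the error names are hypothetical, and `unlockTimeLatest` is assumed to mean the latest block timestamp at which the locking transaction may still execute.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only: a minimal hypothetical contract, not the audited LockManager.
contract LockWithDeadline {
    error DeadlineExpired(uint256 nowTs, uint256 unlockTimeLatest);
    error StillLocked(uint256 unlockTime);

    mapping(address => uint256) public locked;     // locked wei per user
    mapping(address => uint256) public unlockTime; // timestamp from which unlock() succeeds

    /// Lock msg.value for `duration` seconds.
    /// `unlockTimeLatest` (assumed semantics): last timestamp at which this tx may execute,
    /// e.g. submission time + 1 hours, chosen by the caller's wallet or front end.
    function lock(uint32 duration, uint256 unlockTimeLatest) external payable {
        // The lock end is computed from the inclusion time, not the submission time.
        // Without this check, a tx that sat in the mempool for 2 days would silently
        // push a 5-day lock out to day 7 from the user's point of view.
        if (block.timestamp > unlockTimeLatest) {
            revert DeadlineExpired(block.timestamp, unlockTimeLatest);
        }

        uint256 newUnlock = block.timestamp + duration;
        // Only ever extend an existing lock, never shorten it.
        if (newUnlock > unlockTime[msg.sender]) {
            unlockTime[msg.sender] = newUnlock;
        }
        locked[msg.sender] += msg.value;
    }

    function unlock(uint256 amount) external {
        if (block.timestamp < unlockTime[msg.sender]) {
            revert StillLocked(unlockTime[msg.sender]);
        }
        locked[msg.sender] -= amount; // reverts on underflow in Solidity >= 0.8
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

With the deadline in place, the delayed transaction from the proof of concept reverts with `DeadlineExpired` instead of starting a lock the user no longer expects, and she can resubmit with a fresh deadline.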
Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol/#L245
Assessed type
Invalid Validation